The DFIR Report

ransomhub ransomware rdp

Hide Your RDP: Password Spray Leads to RansomHub Deployment

June 30, 2025

Key Takeaways Case Summary This intrusion began in November 2024 with a password spray attack targeting an internet-facing RDP server. Over the course of several hours, the threat actor attempted … Read More

elpacoteam mimic ransomware

Another Confluence Bites the Dust: Falling to ELPACO-team Ransomware

May 19, 2025

Key Takeaways The DFIR Report Services Table of Contents: Case Summary In late June 2024, an unpatched Confluence server was compromised via CVE-2023-22527, a template injection vulnerability, first from IP … Read More

ransomware sliver

Navigating Through The Fog

April 28, 2025

Key Takeaways

An open directory associated with a ransomware affiliate, likely linked to the Fog ransomware group, was discovered in December 2024. It contained tools and scripts for reconnaissance, exploitation, lateral movement, and persistence…

blacksuit bruteratel cobaltstrike ransomware sectoprat

Fake Zoom Ends in BlackSuit Ransomware

March 31, 2025

Key Takeaways Case Summary This case from May 2024 started with a malicious download from a website mimicking the teleconferencing application Zoom. When visiting the website and downloading a file … Read More

exploit lockbit ransomware

Confluence Exploit Leads to LockBit Ransomware

February 24, 2025

Key Takeaways Case Summary The intrusion started with the exploitation of CVE-2023-22527, a critical remote code execution vulnerability in Confluence, against a Windows server. The first indication of threat actor … Read More

cobaltstrike lockbit ransomware

Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware

January 27, 2025

Key Takeaways Case Summary This intrusion began near the end of January 2024 when the user downloaded and executed a file using the same name (setup_wm.exe) and executable icon, as … Read More

cobaltstrike more_eggs

The Curious Case of an Egg-Cellent Resume

December 2, 2024

Key Takeaways Private Threat Briefs: Over 20 private DFIR reports annually. Threat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, etc. All Intel: Includes everything from … Read More

cobaltstrike opendir

Inside the Open Directory of the “You Dun” Threat Group

October 28, 2024

Key Takeaways The DFIR Report Services Reports such as this one are part of our All Intel service and are categorized as Threat Actor Insights. Private Threat Briefs: Over 20 … Read More

blackcat cobaltstrike ransomware sliver

Nitrogen Campaign Drops Sliver and Ends With BlackCat Ransomware

September 30, 2024

Key Takeaways Contact us today for pricing or a demo! Table of Contents: Case Summary Analysts Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command … Read More

adfind blacksuit cobaltstrike ransomware

BlackSuit Ransomware

August 26, 2024

Key Takeaways In December 2023, we observed an intrusion that started with the execution of a Cobalt Strike beacon and ended in the deployment of BlackSuit ransomware. The threat actor … Read More

opendir

Threat Actors’ Toolkit: Leveraging Sliver, PoshC2 & Batch Scripts

August 12, 2024

Key Takeaways The DFIR Report Services Contact us today for pricing or a demo! Table of Contents: Summary Analysts Adversary Infrastructure Capability Victim Indicators Summary In this report, we delve into … Read More

alphv cobaltstrike icedid ransomware

IcedID Brings ScreenConnect and CSharp Streamer to ALPHV Ransomware Deployment

June 10, 2024

Key Takeaways The DFIR Report Services → Click here to access the DFIR Lab related to this report ← Five new sigma rules were created from this report and added … Read More

adfind cobaltstrike dagonlocker icedid

From IcedID to Dagon Locker Ransomware in 29 Days

April 29, 2024

Key Takeaways In August 2023, we observed an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID. IcedID dropped and executed a Cobalt Strike beacon, which was … Read More

adfind Exfiltrate Data icedid nokoyawa ransomware

From OneNote to RansomNote: An Ice Cold Intrusion

April 1, 2024

Key Takeaways We provide a range of services, one of which is our Threat Feed, specializing in monitoring Command and Control frameworks like Cobalt Strike, Metasploit, Sliver, Viper, Mythic, Havoc, … Read More

Threat Briefs

Threat Brief: WordPress Plugin Exploit Leads to Godzilla Web Shell, Discovery & New CVE

March 4, 2024

Below is a recent Threat Brief that we shared with our customers. Each year, we produce over 20 detailed Threat Briefs, which follow a format similar to the below. Typically, … Read More

gootloader

SEO Poisoning to Domain Control: The Gootloader Saga Continues

February 26, 2024

Key Takeaways More information about Gootloader can be found in the following reports: The DFIR Report, GootloaderSites, Mandiant, Red Canary, & Kroll. An audio version of this report can be … Read More

Exfiltrate Data ransomware rdp trigona

Buzzing on Christmas Eve: Trigona Ransomware in 3 Hours

January 29, 2024

Key Takeaways In late December 2022, we observed threat actors exploiting a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware. On … Read More

metasploit opendir sliver

Lets Open(Dir) Some Presents: An Analysis of a Persistent Actor’s Activity

December 18, 2023

This report is a little different than our typical content. We were able to analyze data from a perspective we typically don’t get to see… a threat actor’s host! In … Read More

bluesky cobaltstrike ransomware

SQL Brute Force Leads to BlueSky Ransomware

December 4, 2023

In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and … Read More

netsupport

NetSupport Intrusion Results in Domain Compromise

October 30, 2023

NetSupport Manager is one of the oldest third-party remote access tools still currently on the market with over 33 years of history. This is the first time we will report … Read More

cobaltstrike Hive ransomware wmiexec

From ScreenConnect to Hive Ransomware in 61 hours

September 25, 2023

In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools. When compared to post-exploitation channels that heavily rely on terminals, such … Read More